[ratelimits] Referrals incorrectly limited.
jabley at hopcount.ca
Wed Jan 9 18:43:46 UTC 2013
On 2013-01-09, at 13:38, john <jbond at ripe.net> wrote:
> On 1/9/13 6:18 PM, Vernon Schryver wrote:
>>> From: john <jbond at ripe.net>
>>>> I do not understand "not under that attack at the moment" reasoning.
>>> The point is more that enabling the patch will block legitimate traffic.
>> Do you disagree with my claim that in almost all legitimate cases not
>> in the middle of an attack, RRL does not *block* DNS traffic but only
>> slows it down by forcing legitimate DNS clients to retry or switch to TCP?
> No I agree admittedly I do keep forgetting that fact; however the first
> concern I have is that if we force a lot of this traffic over to TCP we
> could start to exhaust TCP resources.
I like this approach (forcing TC=1 so that clients are forced to handshake) but I do worry slightly that enough brain-dead middleware exists in the world that tcp/53 is unavailable sufficiently that "almost hall" might need to be degraded to "some".
This seems like a hard thing to measure, since a failed retry with TCP is indistinguishable from there being no attempt made to retry with TCP.
More information about the ratelimits